forked from pool/qemu

Accepting request 512570 from home:bfrogers:branches:Virtualization

Include latest security fixes. Also fix support statements. Also adjust to recent libvdeplug-devel package name change.

OBS-URL: https://build.opensuse.org/request/show/512570
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=350
Bruce Rogers 2017-07-25 20:21:37 +00:00 committed by Git OBS Bridge
parent eb1e0a8392
commit 481686d650
14 changed files with 294 additions and 38 deletions


@ -0,0 +1,47 @@
From 40c9dcf30be29a4d76aeb85b5510cea071423b81 Mon Sep 17 00:00:00 2001
From: Max Reitz <mreitz@redhat.com>
Date: Sun, 11 Jun 2017 14:37:14 +0200
Subject: [PATCH] qemu-nbd: Ignore SIGPIPE
qemu proper has done so for 13 years
(8a7ddc38a60648257dc0645ab4a05b33d6040063), qemu-img and qemu-io have
done so for four years (526eda14a68d5b3596be715505289b541288ef2a).
Ignoring this signal is especially important in qemu-nbd because
otherwise a client can easily take down the qemu-nbd server by dropping
the connection when the server wants to send something, for example:
$ qemu-nbd -x foo -f raw -t null-co:// &
[1] 12726
$ qemu-io -c quit nbd://localhost/bar
can't open device nbd://localhost/bar: No export with name 'bar' available
[1] + 12726 broken pipe qemu-nbd -x foo -f raw -t null-co://
In this case, the client sends an NBD_OPT_ABORT and closes the
connection (because it is not required to wait for a reply), but the
server replies with an NBD_REP_ACK (because it is required to reply).
Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-Id: <20170611123714.31292-1-mreitz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 041e32b8d9d076980b4e35317c0339e57ab888f1)
[BR: BSC#1046636 CVE-2017-10664]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
qemu-nbd.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/qemu-nbd.c b/qemu-nbd.c
index b44764eb87..83bf9cb46c 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -581,6 +581,10 @@ int main(int argc, char **argv)
sa_sigterm.sa_handler = termsig_handler;
sigaction(SIGTERM, &sa_sigterm, NULL);
+#ifdef CONFIG_POSIX
+ signal(SIGPIPE, SIG_IGN);
+#endif
+
module_call_init(MODULE_INIT_TRACE);
qcrypto_init(&error_fatal);
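Review bot: the added `signal(SIGPIPE, SIG_IGN);` in main() has no comment, so the reason for ignoring the signal (a client closing the connection before the server's reply is written, per the commit message) is not visible in the code; a one-line comment above the `#ifdef CONFIG_POSIX` block would keep it from being removed later. The lines just above install the SIGTERM handler with sigaction(), so using sigaction() here too would keep the signal setup in one style. With SIGPIPE ignored, a write to a closed connection returns an error (EPIPE) instead of ending the process, so it is worth confirming that the reply paths treat that error as an ordinary client disconnect.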


@ -0,0 +1,50 @@
From 416a6f3bf137b8e6782dd7c1f9563afe8ee97b19 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 9 May 2017 13:01:28 +0200
Subject: [PATCH] usb-redir: fix stack overflow in usbredir_log_data
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Don't reinvent a broken wheel, just use the hexdump function we have.
Impact: low, broken code doesn't run unless you have debug logging
enabled.
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20170509110128.27261-1-kraxel@redhat.com
(cherry picked from commit bd4a683505b27adc1ac809f71e918e58573d851d)
[BR: BSC#1047674 CVE-2017-10806]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/usb/redirect.c | 13 +------------
1 file changed, 1 insertion(+), 12 deletions(-)
diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
index 0efe62f725..eb70dc7218 100644
--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@@ -229,21 +229,10 @@ static void usbredir_log(void *priv, int level, const char *msg)
static void usbredir_log_data(USBRedirDevice *dev, const char *desc,
const uint8_t *data, int len)
{
- int i, j, n;
-
if (dev->debug < usbredirparser_debug_data) {
return;
}
-
- for (i = 0; i < len; i += j) {
- char buf[128];
-
- n = sprintf(buf, "%s", desc);
- for (j = 0; j < 8 && i + j < len; j++) {
- n += sprintf(buf + n, " %02X", data[i + j]);
- }
- error_report("%s", buf);
- }
+ qemu_hexdump((char *)data, stderr, desc, len);
}
/*
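Review bot: the replacement call `qemu_hexdump((char *)data, stderr, desc, len);` writes straight to stderr where the removed loop went through error_report(), so the data dump no longer takes the same path as this device's other messages; if that is intended, the commit message should say so. The cast also drops the const qualifier from `const uint8_t *data`, and `(const char *)data` would be preferable if the prototype allows it. `len` is a signed int in this function, so a check that it is not negative before the call would be a cheap safeguard.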


@ -0,0 +1,43 @@
From f6658a500e003e91225f59bc2c2305c6b7d2f0d1 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 12 Jul 2017 18:08:40 +0530
Subject: [PATCH] exec: use qemu_ram_ptr_length to access guest ram
When accessing guest's ram block during DMA operation, use
'qemu_ram_ptr_length' to get ram block pointer. It ensures
that DMA operation of given length is possible; And avoids
any OOB memory access situations.
Reported-by: Alex <broscutamaker@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <20170712123840.29328-1-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 04bf2526ce87f21b32c9acba1c5518708c243ad0)
[BR: BSC#1048902 CVE-2017-11334]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
exec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/exec.c b/exec.c
index b47b3f9096..1de9107b61 100644
--- a/exec.c
+++ b/exec.c
@@ -2767,7 +2767,7 @@ static MemTxResult address_space_write_continue(AddressSpace *as, hwaddr addr,
}
} else {
/* RAM case */
- ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
+ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l);
memcpy(ptr, buf, l);
invalidate_and_set_dirty(mr, addr1, l);
}
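Review bot: in the RAM case of address_space_write_continue(), `qemu_ram_ptr_length(mr->ram_block, addr1, &l)` takes `l` by pointer, so `l` can come back smaller than requested, and the returned `ptr` goes into memcpy() unchecked. Please confirm that the surrounding loop advances by the updated `l` rather than by the originally requested length, and that a NULL return (if the helper can produce one) cannot reach `memcpy(ptr, buf, l)`. A short comment next to the call, saying that it checks the length against the RAM block as the commit message describes, would document why it replaced qemu_map_ram_ptr().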
@@ -2858,7 +2858,7 @@ MemTxResult address_space_read_continue(AddressSpace *as, hwaddr addr,
}
} else {
/* RAM case */
- ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
+ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l);
memcpy(buf, ptr, l);
}
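Review bot: on the read side a shortened `l` means `memcpy(buf, ptr, l)` fills less of `buf` than the caller asked for, so it is worth checking that address_space_read_continue() either continues with the remainder or reports the short transfer, and that the caller never consumes bytes of `buf` that were not written. The patch touches only exec.c and adds no test; a case with an access that runs past the end of a RAM block would cover both this hunk and the write path.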


@ -0,0 +1,33 @@
From 9ba94af263d7c64137cc748abd9cf3c23e07decc Mon Sep 17 00:00:00 2001
From: P J P <ppandit@redhat.com>
Date: Tue, 25 Jul 2017 13:34:29 -0600
Subject: [PATCH] slirp: check len against dhcp options array end
From: Prasad J Pandit <pjp@fedoraproject.org>
While parsing dhcp options string in 'dhcp_decode', if an options'
length 'len' appeared towards the end of 'bp_vend' array, ensuing
read could lead to an OOB memory access issue. Add check to avoid it.
Reported-by: Reno Robert <renorobert@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
[BR: BSC#1049381 CVE-2017-11434]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
slirp/bootp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/slirp/bootp.c b/slirp/bootp.c
index 5a4646c182..5dd1a415b5 100644
--- a/slirp/bootp.c
+++ b/slirp/bootp.c
@@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
if (p >= p_end)
break;
len = *p++;
+ if (p + len > p_end) {
+ break;
+ }
DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
switch(tag) {
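Review bot: the new check `if (p + len > p_end)` forms the pointer `p + len` before comparing, and that pointer can lie more than one element past the end of the options array, which C leaves undefined; comparing lengths instead, `if (len > p_end - p)`, expresses the same bound without the out-of-range pointer. The early `break` also drops a truncated option silently, so a DPRINTF before it would help when debugging malformed DHCP packets. Unlike the other three patches added in this commit, this one carries no "cherry picked from commit" line, so its upstream status should be stated in the patch header.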


@ -1,3 +1,13 @@
-------------------------------------------------------------------
Tue Jul 25 19:36:58 UTC 2017 - brogers@suse.com
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.9
* Patches added:
0069-qemu-nbd-Ignore-SIGPIPE.patch
0070-usb-redir-fix-stack-overflow-in-usb.patch
0071-exec-use-qemu_ram_ptr_length-to-acc.patch
0072-slirp-check-len-against-dhcp-option.patch
-------------------------------------------------------------------
Tue Jul 18 19:51:49 UTC 2017 - brogers@suse.com
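Review bot: this changelog entry lists the four added patches by file name only, while the entry for the same patches in the other .changes files of this commit gives the bsc and CVE numbers for each. Adding those references here (for example "bsc#1046636 CVE-2017-10664" next to 0069-qemu-nbd-Ignore-SIGPIPE.patch) would let a reader of this package's changelog see that these are security fixes.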


@ -94,6 +94,10 @@ Patch0065: 0065-hid-Reset-kbd-modifiers-on-reset.patch
Patch0066: 0066-input-Decrement-queue-count-on-kbd-.patch
Patch0067: 0067-xhci-only-update-dequeue-ptr-on-com.patch
Patch0068: 0068-vnc-Set-default-kbd-delay-to-10ms.patch
Patch0069: 0069-qemu-nbd-Ignore-SIGPIPE.patch
Patch0070: 0070-usb-redir-fix-stack-overflow-in-usb.patch
Patch0071: 0071-exec-use-qemu_ram_ptr_length-to-acc.patch
Patch0072: 0072-slirp-check-len-against-dhcp-option.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
Source400: update_git.sh
@ -215,6 +219,10 @@ run cross-architecture builds.
%patch0066 -p1
%patch0067 -p1
%patch0068 -p1
%patch0069 -p1
%patch0070 -p1
%patch0071 -p1
%patch0072 -p1
%build
./configure \


@ -1,3 +1,26 @@
-------------------------------------------------------------------
Tue Jul 25 19:36:55 UTC 2017 - brogers@suse.com
- Address various security/stability issues
* Fix DOS vulnerability in qemu-nbd (bsc#1046636 CVE-2017-10664)
0069-qemu-nbd-Ignore-SIGPIPE.patch
* Fix DOS from stack overflow in debug messages of usb redirection
support (bsc#1047674 CVE-2017-10806)
0070-usb-redir-fix-stack-overflow-in-usb.patch
* Fix OOB access during DMA operation (CVE-2017-11334 bsc#1048902)
0071-exec-use-qemu_ram_ptr_length-to-acc.patch
* Fix OOB access parsing dhcp slirp options (CVE-2017-11434 bsc#1049381)
0072-slirp-check-len-against-dhcp-option.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.9
-------------------------------------------------------------------
Tue Jul 25 16:51:20 UTC 2017 - brogers@suse.com
- Fix support docs to indicate ARM64 is now fully L3 supported in
SLES 12 SP3. Apply a few additional clarifications in the support
docs. (bsc#1050268)
- Adjust to libvdeplug-devel package naming changes.
-------------------------------------------------------------------
Tue Jul 18 19:51:45 UTC 2017 - brogers@suse.com


@ -198,6 +198,10 @@ Patch0065: 0065-hid-Reset-kbd-modifiers-on-reset.patch
Patch0066: 0066-input-Decrement-queue-count-on-kbd-.patch
Patch0067: 0067-xhci-only-update-dequeue-ptr-on-com.patch
Patch0068: 0068-vnc-Set-default-kbd-delay-to-10ms.patch
Patch0069: 0069-qemu-nbd-Ignore-SIGPIPE.patch
Patch0070: 0070-usb-redir-fix-stack-overflow-in-usb.patch
Patch0071: 0071-exec-use-qemu_ram_ptr_length-to-acc.patch
Patch0072: 0072-slirp-check-len-against-dhcp-option.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
@ -334,7 +338,11 @@ BuildRequires: libssh2-devel
%if 0%{?suse_version} > 1310
BuildRequires: libusb-1_0-devel
%endif
%if 0%{?suse_version} > 1320
BuildRequires: libvdeplug-devel
%else
BuildRequires: libvdeplug3-devel
%endif
BuildRequires: lzo-devel
%if 0%{?suse_version} > 1220
BuildRequires: makeinfo
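Review bot: the conditional `%if 0%{?suse_version} > 1320` has no comment saying which release introduced the libvdeplug-devel name, and the same threshold is repeated in each spec file touched by this commit; a comment on the `%if` line would make the boundary checkable. Please also confirm the intended behaviour for a suse_version of exactly 1320, which takes the `%else` branch and requires libvdeplug3-devel.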
@ -914,6 +922,10 @@ This package provides a service file for starting and stopping KSM.
%patch0066 -p1
%patch0067 -p1
%patch0068 -p1
%patch0069 -p1
%patch0070 -p1
%patch0071 -p1
%patch0072 -p1
pushd roms/ipxe
%patch1100 -p1


@ -1,3 +1,26 @@
-------------------------------------------------------------------
Tue Jul 25 19:36:55 UTC 2017 - brogers@suse.com
- Address various security/stability issues
* Fix DOS vulnerability in qemu-nbd (bsc#1046636 CVE-2017-10664)
0069-qemu-nbd-Ignore-SIGPIPE.patch
* Fix DOS from stack overflow in debug messages of usb redirection
support (bsc#1047674 CVE-2017-10806)
0070-usb-redir-fix-stack-overflow-in-usb.patch
* Fix OOB access during DMA operation (CVE-2017-11334 bsc#1048902)
0071-exec-use-qemu_ram_ptr_length-to-acc.patch
* Fix OOB access parsing dhcp slirp options (CVE-2017-11434 bsc#1049381)
0072-slirp-check-len-against-dhcp-option.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.9
-------------------------------------------------------------------
Tue Jul 25 16:51:20 UTC 2017 - brogers@suse.com
- Fix support docs to indicate ARM64 is now fully L3 supported in
SLES 12 SP3. Apply a few additional clarifications in the support
docs. (bsc#1050268)
- Adjust to libvdeplug-devel package naming changes.
-------------------------------------------------------------------
Tue Jul 18 19:51:45 UTC 2017 - brogers@suse.com


@ -198,6 +198,10 @@ Patch0065: 0065-hid-Reset-kbd-modifiers-on-reset.patch
Patch0066: 0066-input-Decrement-queue-count-on-kbd-.patch
Patch0067: 0067-xhci-only-update-dequeue-ptr-on-com.patch
Patch0068: 0068-vnc-Set-default-kbd-delay-to-10ms.patch
Patch0069: 0069-qemu-nbd-Ignore-SIGPIPE.patch
Patch0070: 0070-usb-redir-fix-stack-overflow-in-usb.patch
Patch0071: 0071-exec-use-qemu_ram_ptr_length-to-acc.patch
Patch0072: 0072-slirp-check-len-against-dhcp-option.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
@ -334,7 +338,11 @@ BuildRequires: libssh2-devel
%if 0%{?suse_version} > 1310
BuildRequires: libusb-1_0-devel
%endif
%if 0%{?suse_version} > 1320
BuildRequires: libvdeplug-devel
%else
BuildRequires: libvdeplug3-devel
%endif
BuildRequires: lzo-devel
%if 0%{?suse_version} > 1220
BuildRequires: makeinfo
@ -914,6 +922,10 @@ This package provides a service file for starting and stopping KSM.
%patch0066 -p1
%patch0067 -p1
%patch0068 -p1
%patch0069 -p1
%patch0070 -p1
%patch0071 -p1
%patch0072 -p1
pushd roms/ipxe
%patch1100 -p1


@ -267,7 +267,11 @@ BuildRequires: libssh2-devel
%if 0%{?suse_version} > 1310
BuildRequires: libusb-1_0-devel
%endif
%if 0%{?suse_version} > 1320
BuildRequires: libvdeplug-devel
%else
BuildRequires: libvdeplug3-devel
%endif
BuildRequires: lzo-devel
%if 0%{?suse_version} > 1220
BuildRequires: makeinfo
@ -315,14 +319,14 @@ BuildRequires: zlib-devel
%if "%{name}" == "qemu-testsuite"
BuildRequires: bc
BuildRequires: qemu-arm = %version
BuildRequires: qemu-block-curl = %version
BuildRequires: qemu-block-dmg = %version
BuildRequires: qemu-extra = %version
BuildRequires: qemu-guest-agent = %version
BuildRequires: qemu-ppc = %version
BuildRequires: qemu-s390 = %version
BuildRequires: qemu-tools = %version
BuildRequires: qemu-x86 = %version
BuildRequires: qemu-block-curl = %version
BuildRequires: qemu-block-dmg = %version
%if 0%{?suse_version} >= 1310 && 0%{?suse_version} != 1315
BuildRequires: qemu-block-gluster = %version
%endif


@ -10,13 +10,12 @@ Overview
quality or value. The linux kernel includes components which contribute KVM
virtualization features as well. This document was created to assist the user
in deciding which features can be relied upon to build enterprise class
virtualization solutions. KVM based virtualization for x86 (Intel 64/AMD64)
and for IBM System z (s390x) are offered at the L3 (full support) level,
while KVM for the ARM64 architecture (AArch64) is L3 supported for certain
partner-specific use cases. The bulk of this document deals with L3 supported
features and is primarily ARM64 centric. This document should be considered a
companion to the standard virtualization documentation delivered with the
product.
virtualization solutions. KVM based virtualization for x86 (Intel 64/AMD64),
for IBM System z (s390x) and for the ARM64 architecture (AArch64) are offered
at the L3 (full support) level. The bulk of this document deals with L3
supported features and is primarily ARM64 centric. This document should be
considered a companion to the standard virtualization documentation delivered
with the product.
KVM is implemented in linux kernel modules which enable the linux kernel to
function as an integral part of the KVM hypervisor. The hypervisor-guest
@ -57,9 +56,6 @@ Major QEMU/KVM Supported Features
Since a KVM guest runs in the context of a normal linux process, some types
of execution controls are managed with linux tools.
- Various standard vCPU types are available, along with the ability to specify
individual CPU features visible to the guest.
- QEMU is compatible with EDK based UEFI firmware available with SLES12-SP3,
which allow boot options common to physical systems along with other features
tailored to virtualization. Various VGABIOS ROMs, from the SEABIOS project,
@ -79,8 +75,8 @@ Major QEMU/KVM Supported Features
take place either from certain prior SLES versioned hosts to a SLES 12 SP3
or between hosts of the same version. Certain other restrictions also apply.
- Security considerations include seccomp2 based sandboxing, privileged
helpers and a security model which allows running guests as a non-root user.
- Security considerations include privileged helpers and a security model which
allows running guests as a non-root user.
- QEMU provides best effort reuse of existing disk images, including those with
systems installed, through geometry probing. Also disk images produced by

View File

@ -10,21 +10,20 @@ Overview
quality or value. The linux kernel includes components which contribute KVM
virtualization features as well. This document was created to assist the user
in deciding which features can be relied upon to build enterprise class
virtualization solutions. KVM based virtualization for x86 (Intel 64/AMD64)
and for IBM System z (s390x) are offered at the L3 (full support) level,
while KVM for the ARM64 architecture (AArch64) is L3 supported for certain
partner-specific use cases. The bulk of this document deals with L3 supported
features and is primarily s390x centric. This document should be considered a
companion to the standard virtualization documentation delivered with the
product.
virtualization solutions. KVM based virtualization for x86 (Intel 64/AMD64),
for IBM System z (s390x) and for the ARM64 architecture (AArch64) are offered
at the L3 (full support) level. The bulk of this document deals with L3
supported features and is primarily s390x centric. This document should be
considered a companion to the standard virtualization documentation delivered
with the product.
KVM is implemented in linux kernel modules which enable the linux kernel to
function as an integral part of the KVM hypervisor. The hypervisor-guest
interaction is managed by QEMU through the /dev/kvm ioctl interface. The linux
host assists in the virtualization of storage, networking and display
resources as well as allowing direct hardware passthrough of PCI and USB
devices. Linux memory and cpu management features are used by QEMU/KVM to
enable guests to share those host resources as efficiently as possible.
resources as well as allowing direct hardware passthrough of PCI devices.
Linux memory and cpu management features are used by QEMU/KVM to enable guests
to share those host resources as efficiently as possible.
QEMU is a primary component of KVM based virtualization. The legacy qemu-kvm
program is provided for continuity with pre SLES 12 usage, including in
@ -59,9 +58,6 @@ Major QEMU/KVM Supported Features
Since a KVM guest runs in the context of a normal linux process, some types
of execution controls are managed with linux tools.
- Various standard vCPU types are available, along with the ability to specify
individual CPU features visible to the guest.
- QEMU incorporates virtualized, 390 specific, ccw bus based firmware for
booting s390 guests. This firmware is automatically incorporated and
doesn't need to be explicitly referenced.
@ -80,8 +76,8 @@ Major QEMU/KVM Supported Features
take place either from certain prior SLES versioned hosts to a SLES 12 SP3
or between hosts of the same version. Certain other restrictions also apply.
- Security considerations include seccomp2 based sandboxing, privileged
helpers and a security model which allows running guests as a non-root user.
- Security considerations include privileged helpers and a security model which
allows running guests as a non-root user.
- QEMU provides best effort reuse of existing disk images, including those with
systems installed, through geometry probing. Also disk images produced by
@ -97,8 +93,8 @@ Major QEMU/KVM Supported Features
- Guest performance is enhanced through the use of virtio devices, various disk
caching modes, network acceleration via the vhost-net kernel module, multi-
queue network transmit capabilities, host transparent huge pages (THP) and
direct hugetlb usage. Physical PCI and USB devices may also be passed through
to the guest, including SR-IOV VF's.
direct hugetlb usage. Physical PCI devices may also be passed through to the
guest, including SR-IOV VF's.
- The guest UI is accessable via GTK, SDL, VNC, Spice, and serial (including
curses TUI) interfaces.


@ -10,13 +10,12 @@ Overview
quality or value. The linux kernel includes components which contribute KVM
virtualization features as well. This document was created to assist the user
in deciding which features can be relied upon to build enterprise class
virtualization solutions. KVM based virtualization for x86 (Intel 64/AMD64)
and for IBM System z (s390x) are offered at the L3 (full support) level,
while KVM for the ARM64 architecture (AArch64) is L3 supported for certain
partner-specific use cases. The bulk of this document deals with L3 supported
features and is primarily x86 centric. This document should be considered a
companion to the standard virtualization documentation delivered with the
product.
virtualization solutions. KVM based virtualization for x86 (Intel 64/AMD64),
for IBM System z (s390x) and for the ARM64 architecture (AArch64) are offered
at the L3 (full support) level. The bulk of this document deals with L3
supported features and is primarily x86 centric. This document should be
considered a companion to the standard virtualization documentation delivered
with the product.
KVM is implemented in linux kernel modules which enable the linux kernel to
function as an integral part of the KVM hypervisor. The hypervisor-guest